#1
Registered User
Join Date: Apr 2006
Posts: 5
OS: XP
Browser obviously Hijacked! Help!!!
Virus scanner AVG reports embedded viruses in java archives.
IE is not behaving properly (just emptying password windows after it is entered). Boot isn't finishing.
AVG reports: Java class loader, Java Byte/verify
This is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:31:54, on 4.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dejan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delo.si/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\mscb32.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041406 serial=DR12CNR-9501291-TJQ lang=EN
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: SiOl.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3707DB0E-E788-491A-8FA7-8C8B9774AAEB} (DigSigX Control) - https://edavki.durs.si/OpenPortal/Gu...hslDigSigX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...site.cab?1138093693234
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3FFBD9-DD6E-4080-809A-1B4D17063E4D}: NameServer = 193.189.160.13 193.189.160.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7A9DBF-9E28-47CC-B17C-C465B1E3F41E}: NameServer = 193.189.160.11,193.189.160.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Last edited by bassoon; 04-04-2006 at 03:46 PM. Reason: Describing the problem
#3
Analyst, Security Team
Welcome to TSF.
Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK. If you have Java 1.5, do this instead. Start->Control Panel->Java->Settings->Delete Files and click OK and OK. Please make sure that Word Wrap is turned OFF in Notepad before you post your HijackThis log next time. As you can see, the formatting it creates (see the log you posted) makes it harder for us to read it. Post a new HijackThis log with Word Wrap turned off.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#4
Registered User
Join Date: Apr 2006
Posts: 5
OS: XP
Thank you for your answer. I did clean up Java files.
Here is another log after cleanup (without word wrap):

Logfile of HijackThis v1.99.1
Scan saved at 8:42:31, on 9.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delo.si/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041406 serial=DR12CNR-9501291-TJQ lang=EN
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: SiOl.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3707DB0E-E788-491A-8FA7-8C8B9774AAEB} (DigSigX Control) - https://edavki.durs.si/OpenPortal/Gu...hslDigSigX.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://home3.ca.com/PestPatrol/unibl...n/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138093693234
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3FFBD9-DD6E-4080-809A-1B4D17063E4D}: NameServer = 193.189.160.13 193.189.160.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7A9DBF-9E28-47CC-B17C-C465B1E3F41E}: NameServer = 193.189.160.11,193.189.160.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
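Comparing the two logs in this thread by eye is exactly the work the analyst is doing: between the first and second log the unnamed O2 BHO pointing at C:\WINDOWS\system32\mscb32.dll is gone, and an O16 PestPatrol scanner control has appeared. The script below is an added example written for this thread (it is not HijackThis code and not anything the analyst or poster provided). It parses lines in the HijackThis v1.99 format, reports what changed between two logs, and flags the markers an analyst looks at first: unnamed BHOs and toolbars, entries marked "(file missing)", startup shortcuts with an unresolved target, and O17 name-server settings. The flag rules are illustrative assumptions, not verdicts, and the sample input is a short excerpt of the two logs above.

```python
"""Triage helper for HijackThis v1.99 logs: parse, diff two logs, flag entries.

Added example for this thread; not code from HijackThis or from the forum.
The flag rules are assumed heuristics, not verdicts: a flagged line means
an analyst should look at it, not that it is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HijackThis finding starts with a section tag such as R0, O2, O4, O16, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Return the findings of a log; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def flag(entry: Entry) -> list[str]:
    """Reasons an entry deserves a closer look (assumed heuristics)."""
    reasons = []
    # Unnamed BHOs/toolbars hide their vendor. O9 buttons are often unnamed for
    # legitimate reasons (the Java console button in these logs), so skip O9.
    if entry.section in ("O2", "O3") and "(no name)" in entry.body:
        reasons.append("unnamed browser component")
    if "(file missing)" in entry.body:
        reasons.append("registered component whose file is gone")
    if entry.section == "O4" and entry.body.endswith(".lnk = ?"):
        reasons.append("startup shortcut with unresolved target")
    if entry.section == "O17":
        reasons.append("DNS servers set; confirm they belong to the ISP")
    return reasons


def diff_logs(old: list[Entry], new: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Findings removed since the old log, and findings added in the new one."""
    removed = sorted(set(old) - set(new), key=lambda e: (e.section, e.body))
    added = sorted(set(new) - set(old), key=lambda e: (e.section, e.body))
    return removed, added


def review(old_text: str, new_text: str) -> dict:
    """Summarise what changed between two logs and what in the new log still needs a look."""
    old, new = parse_log(old_text), parse_log(new_text)
    removed, added = diff_logs(old, new)
    return {
        "removed": [str(e) for e in removed],
        "added": [str(e) for e in added],
        "flagged": {str(e): flag(e) for e in new if flag(e)},
    }


# Constructed sample input: a few lines excerpted from the two logs in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delo.si/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\mscb32.dll
O4 - Startup: SiOl.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delo.si/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - Startup: SiOl.lnk = ?
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://home3.ca.com/PestPatrol/unibl...n/pestscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

if __name__ == "__main__":
    result = review(LOG_BEFORE, LOG_AFTER)
    for heading in ("removed", "added"):
        print(f"{heading}:")
        for line in result[heading]:
            print("  " + line)
    print("still worth a look in the new log:")
    for line, reasons in result["flagged"].items():
        print(f"  {line}\n    -> {', '.join(reasons)}")
```

Run it on two saved logs by reading them into `review()`; the diff is computed on whole entries, so a changed path or CLSID shows up as one removal plus one addition, which is what you want when a component has been renamed rather than removed.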
#5
Analyst, Security Team
Delete that msv0.dll file and see if it comes back after a restart now. If it still does, do this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.
1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
   * Install background guard
   * Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
   * On the left hand side of the main screen click update.
   * Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.
If you are having problems with the updater, you can go to http://www.ewido.net/en/download/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ).

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!.

Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.
* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK. Exit Ewido when it's done.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.
#6
Registered User
Join Date: Apr 2006
Posts: 5
OS: XP
Done everything you said. Do I need to repeat the procedure for all users, because there is msv0.dll popping up on their screens too? Mine now looks OK. Here are the logs. Please advise on further steps.
Ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:21:20, 10.4.2006
+ Report-Checksum: 99C6613F

+ Scan result:

:mozilla.17:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Paypopup : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Com : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Com : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.172:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sexcounter : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Starware : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Starware : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Starware : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Starware : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Starware : Cleaned with backup
:mozilla.247:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.282:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.283:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.443:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Oewabox : Cleaned with backup :mozilla.459:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup :mozilla.462:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup :mozilla.467:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Ivwbox : Cleaned with backup :mozilla.578:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Komtrack : Cleaned with backup :mozilla.579:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Komtrack : Cleaned with backup :mozilla.605:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup :mozilla.618:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Clickzs : Cleaned with backup :mozilla.619:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Clickzs : Cleaned with backup :mozilla.629:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Webtrendslive : Cleaned with backup :mozilla.630:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Webtrendslive : Cleaned with backup :mozilla.645:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Doubleclick 
: Cleaned with backup :mozilla.667:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup :mozilla.678:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Masterstats : Cleaned with backup :mozilla.692:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Popularix : Cleaned with backup :mozilla.751:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup :mozilla.752:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup :mozilla.753:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup :mozilla.754:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Sitestat : Cleaned with backup :mozilla.818:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Burstnet : Cleaned with backup :mozilla.825:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.2o7 : Cleaned with backup :mozilla.860:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Bfast : Cleaned with backup :mozilla.883:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> TrackingCookie.Euroclick : Cleaned with backup :mozilla.886:C:\Documents and Settings\Dejan\Application Data\Mozilla\Firefox\Profiles\5mo68skf.default\cookies.txt.old -> 
::Report End

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:06, on 10.4.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ASUS\Asus Probe\AsusProb.exe
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delo.si/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=041406 serial=DR12CNR-9501291-TJQ lang=EN
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\s2gc.a01968\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\eMule.exe -AutoStart
O4 - Startup: SiOl.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3707DB0E-E788-491A-8FA7-8C8B9774AAEB} (DigSigX Control) - https://edavki.durs.si/OpenPortal/Gu...hslDigSigX.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://home3.ca.com/PestPatrol/unibl...n/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138093693234
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D3FFBD9-DD6E-4080-809A-1B4D17063E4D}: NameServer = 193.189.160.13 193.189.160.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE7A9DBF-9E28-47CC-B17C-C465B1E3F41E}: NameServer = 193.189.160.11,193.189.160.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
#7
Analyst, Security Team
No need to run this in all accounts. Ewido should have caught them already if anything was found. Just delete them from all the desktops (maybe at c:\documents and settings\all users\desktop\msv0.dll).
Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.